The newest smartphones in Samsung’s Galaxy line come with contactless mobile payment capability. That’s good news when it comes to convenience, but it might be bad news when it comes to security.
During a recent presentation at the Def Con security conference in Las Vegas, a computer science student named Mendoza demonstrated a variety of attacks against Samsung Pay, Samsung’s mobile payment service.
The attacks Mendoza described were able to intercept or fabricate payment tokens: the single-use codes a user’s smartphone generates so the user can pay from a credit card account without handing over the card information itself. The tokens are sent from the user’s device to the payment terminal during a wireless purchase, and expire 24 hours after they’re issued.
During the demonstration, Mendoza used a wrist-mounted device to skim tokens generated by another user’s smartphone. “If a Samsung customer tries to use Samsung Pay but something happens in the middle of the transaction . . . that token [is] still alive,” said Mendoza. “An attacker could jam the transaction process to make Samsung Pay failed [sic] and force it to generate the next token.”
In his presentation, Mendoza also said that he has uncovered patterns in Samsung’s method of token generation that, at least in theory, could let a hacker make his own valid tokens via educated guesses. He didn’t say whether or not he’s been able to do this himself.
Samsung took issue with that allegation in a post on its security blog. “Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials,” according to the company’s mobile security staff.
What makes a scenario such as the one described by Mendoza implausible is that the attacker must be physically close to the smartphone user who is in the process of making a purchase, according to Samsung.
Additionally, such a scam would require split-second timing — waiting for someone to buy something, intercepting the signal between the smartphone and the payment terminal, grabbing the token from the user’s phone, and then using it before the user can. Samsung called that process “extremely difficult.”
However, in a FAQ page linked to the blog post, Samsung acknowledged that there are scenarios in which someone could skim a user’s payment token and make a fraudulent purchase with that person’s card. Samsung and the payment firms it works with classify those sorts of scenarios as acceptable risks for mobile payment users. That method of payment is no more hazardous than using a credit card, according to the company.